Modified: branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog (259491 => 259492)
--- branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog 2020-04-03 19:57:47 UTC (rev 259491)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog 2020-04-03 19:57:49 UTC (rev 259492)
@@ -1,5 +1,35 @@
2020-04-03 Alan Coon <[email protected]>
+ Cherry-pick r258559. rdar://problem/61231877
+
+ Terminate the WebContent process when receiving invalid IPC from a WebInspector session
+ https://bugs.webkit.org/show_bug.cgi?id=209157
+ <rdar://problem/58961055>
+
+ Reviewed by Chris Dumez.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::backForwardGoToItemShared): Add a message check that we are not receiving
+ the request from a WebInspector page.
+ (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Switch to a release assert.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258559 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-17 Brent Fulgham <[email protected]>
+
+ Terminate the WebContent process when receiving invalid IPC from a WebInspector session
+ https://bugs.webkit.org/show_bug.cgi?id=209157
+ <rdar://problem/58961055>
+
+ Reviewed by Chris Dumez.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::backForwardGoToItemShared): Add a message check that we are not receiving
+ the request from a WebInspector page.
+ (WebKit::WebPageProxy::maybeInitializeSandboxExtensionHandle): Switch to a release assert.
+
+2020-04-03 Alan Coon <[email protected]>
+
Cherry-pick r258401. rdar://problem/61231940
WebPageProxy::SetPromisedDataForImage should validate its `imageSize` and `archiveSize` parameters
Modified: branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/WebPageProxy.cpp (259491 => 259492)
--- branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-04-03 19:57:47 UTC (rev 259491)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-04-03 19:57:49 UTC (rev 259492)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
* Copyright (C) 2012 Intel Corporation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -272,6 +272,7 @@
#define MESSAGE_CHECK(process, assertion) MESSAGE_CHECK_BASE(assertion, process->connection())
#define MESSAGE_CHECK_URL(process, url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(process, url), process->connection())
+#define MESSAGE_CHECK_COMPLETION(process, assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, process->connection(), completion)
#define RELEASE_LOG_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
#define RELEASE_LOG_ERROR_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_ERROR_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
@@ -1171,7 +1172,7 @@
return;
// Inspector resources are in a directory with assumed access.
- ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!WebKit::isInspectorPage(*this));
#if HAVE(SANDBOX_ISSUE_READ_EXTENSION_TO_PROCESS_BY_AUDIT_TOKEN)
ASSERT(process.connection() && process.connection()->getAuditToken());
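Review bot: The new RELEASE_ASSERT_WITH_SECURITY_IMPLICATION on the inspector-page check terminates the UI process (WebPageProxy lives in UIProcess), not the WebContent process named in the ChangeLog title, so if `maybeInitializeSandboxExtensionHandle` can be reached on an IPC path from the web process this turns a bad message into a UI-process crash rather than a termination of the sender. If that path exists, a MESSAGE_CHECK on the sending process's connection would be consistent with the `backForwardGoToItemShared` hunk below; if the function is only driven by UI-process-initiated loads, a short comment next to the assert such as `// Only reachable from UI-process-initiated loads, so a release assert rather than a MESSAGE_CHECK.` would make the choice explicit. The function's start and end are outside the hunk.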
@@ -6050,6 +6051,8 @@
void WebPageProxy::backForwardGoToItemShared(Ref<WebProcessProxy>&& process, const BackForwardItemIdentifier& itemID, CompletionHandler<void(SandboxExtension::Handle&&)>&& completionHandler)
{
+ MESSAGE_CHECK_COMPLETION(m_process, !WebKit::isInspectorPage(*this), completionHandler({ }, m_backForwardList->counts()));
+
auto* item = m_backForwardList->itemForID(itemID);
if (!item)
return completionHandler({ });
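Review bot: The added MESSAGE_CHECK_COMPLETION invokes `completionHandler({ }, m_backForwardList->counts())` with two arguments, but the signature on the first line of the hunk declares `CompletionHandler<void(SandboxExtension::Handle&&)>` and the existing early return two lines below calls `completionHandler({ })` with one, so as shown the cherry-picked line does not match this branch's handler type (presumably trunk's signature carried a second counts parameter at r258559). The line should read `MESSAGE_CHECK_COMPLETION(process, !WebKit::isInspectorPage(*this), completionHandler({ }));`. Passing the `process` argument the function receives instead of `m_process` also means the connection that gets terminated is the one that sent the message, which the explicit parameter suggests may differ from the page's current process. The body of backForwardGoToItemShared continues past the hunk.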